aloopkin / WinCertes

An ACMEv2 client for Windows
GNU General Public License v3.0

WinCertes major update support multiple certificates and export PEM formats #26

Closed cshawky closed 4 years ago

cshawky commented 4 years ago

Hi aloopkin, first, thanks for WinCertes. I wanted to support multiple certificates and include the PEM export within the application, so I had a go at your project. By adding the PEM export I needed suitable file paths, and this grew into a major rework of the registry and options, which now provides a tighter interface with the registry for the default certificate (as per aloopkin/WinCertes) and the parameter --certname to create unlimited additional certificates. It is working well, producing certificates for my mail server hMailServer and Visual SVN, two different PEM setup files. I have only tested the HTTP challenge, not the DNS challenge, but I have not changed the process flow with any of the ACME interfaces. The README.MD has been updated down to the command line parameters. I'm yet to do a detailed review and add more examples. Examples are in the code in HandleOptions.

HandleOptions is a little complicated as I have attempted to provide compatibility and a migration path for existing users. i.e. existing data is in the HKLM\Software\WinCertes key, whereas a clean install would use HKLM\Software\WinCertes{certname}.

Please let me know what you think, especially whether it is worth pursuing a merge into your code base or keeping them totally separate. If you like what I have done and consider merging, I'll tidy it and finish a couple of TODO features. Before merging it would be good to have someone run a couple of independent tests. I'd hate to cause any issues with your code base. If you don't like it, no problem, just let me know one way or the other.

Thanks, Chris

webprofusion-chrisc commented 4 years ago

Hi, completely unsolicited comment here: if you're going to the effort of reworking config, you should consider not using the registry. Some users of https://certifytheweb.com have easily 2000 websites per server; that's a lot of registry keys. File-based .json configs under ProgramData will serve you well, or even better SQLite or LiteDb if you do want to handle large installations. ProgramData is also easy to back up and restore as part of a regular filesystem backup (how users migrate from old servers to new servers is also a consideration).

cshawky commented 4 years ago

Thanks webprofusion-chrisc. A very good point. I normally use xml files, but chose not to digress away from aloopkin's design. For me I only need 2-3 certificates and it was weekend coding over a beer or two. I'm waiting on some feedback from aloopkin to determine if it is worth further effort. It looks like aloopkin is making great progress at merging new features.

aloopkin commented 4 years ago

Hello @cshawky,

As you may have seen, I've started to work on 1.4.0. Thanks very much for your work; I've actually taken some of your ideas and integrated them in the mainline code:

I also added features requested by other people, especially to be able to manage more than 2 certificates and improvements to the IIS binding management. This leads me to @webprofusion-chrisc's comment (thanks for that!): I also discovered recently that some people want to issue a massive amount of certs on the same machine, for which the registry is definitely not suited.

So for the time being I've chosen not to massively overhaul the options management, so that I keep backward compatibility and ease the work of transitioning to file-based configuration instead of the registry (or at least give the option to store in files instead of the registry). Release 1.5 will be dedicated to that.

Finally, I've initiated a document that describes integration with typical software: I would be really glad if you could provide documentation for hMailServer and Visual SVN integration, as I believe there's now everything needed to manage their enrollment!

Thanks again for your help and contributions!

cshawky commented 4 years ago

Cool, my first repository on GitHub and pull request ever, so I am very pleased to have contributed and had my efforts well received. Yes, I understand the challenges you described, and thanks for taking so much of the change/ideas on board. I'll look at what you have done as soon as I can and try to remerge mine with your latest release. If it works for me, I will document my implementation for hMailServer and SVN as requested.

In terms of the migration to support a file-based solution for options and thousands of certificates, may I suggest you implement or define an entry point into that solution, e.g. a placeholder for --certname (as per my code) or similar as the entry point for the alternate options/certificate management. I.e. all current functionality/command line interface remains unchanged unless this parameter is specified. This would be good for maintaining backward compatibility for the registry and allow progression to a file-based solution.

FYI, my platform is fairly simple. I do not currently run a web server, so I run a script that opens the firewall, starts IIS, stops hMailServer and SVN, runs the certificate utility program (previously LetsEncrypt, now WinCertes), stops IIS, disables the firewall rule, and restarts hMailServer and SVN. The two services pick up the new certificates. My interest in additional certificates is more for flexibility and testing/exploration of various setups on my VPS.

aloopkin commented 4 years ago

Ideas taken into account and released as part of WinCertes 1.4.0